Field of the Invention
The present invention relates to behavioral type electronic commerce fraud prevention systems, and more particularly to scoring methods to promptly access the risk of consumer fraud to merchants in particular transactions according to a dossier of user devices and behavior analyses.
Background
Up until recently all that has been required of a fraudster to spoof a commercial website into completing a card-not-present retail transaction is a few stolen details that can be provided anonymously. Controlling the resulting loses has proven to be very difficult and expensive. The most cost effective way to deal with fraud would be to stop it before it has a chance to be completed. Once completed, detecting and recovering from the fraud has always been very costly.
The world is not so small as it once was where we all knew each other on sight and understood through past experience who could be trusted. In nineteenth century America, households universally ran tabs at the corner grocery store and paid the tabs at the end of the month. Nobody ever required credentials to be presented, you were recognized immediately. Today, we very rarely have retail situations where the merchants and customers know each other. On-line transactions are even worse, they provide automatic anonymity and quick, easy escape.
It seems obvious that collecting personal information from the users would be a good way to authenticate each user so the details could then be used as keys to authorize subsequent transactions. But very strong political groups have pushed back and prevented authentication technologies that would collect and use personally identifiable information (PII). In some jurisdictions, laws have been enacted to make the practices illegal.
Indirectly, users can be authenticated and the risks of fraud can be reduced by inspecting the personal trusted devices they use and the ways real users behave when navigating webpages. This wasn't possible when phone orders were placed using wireline telephones before Caller ID was mandated. Now, highly distinctive personal trusted user devices, like smartphones and laptops, are being used to place retail orders.
Although there are a billion different users and devices possible, there are trillions of different ways the individual user devices can be configured and ways the users themselves behave. Given that enough descriptors can be collected, it would be possible to uniquely identify each user and their devices with very high confidence. Certainly enough to take away a large part of the risk away from on-line transactional fraud.
CitiBusiness®Online is trying to do something about online fraud. This year they are recommending to their business customers various ways to protect themselves. These include advising consumers to (1) Install and use anti-virus and anti-spyware software on computers used to perform online banking; (2) Consider having more than one individual with access to critical online banking services in the event that a user cannot sign-on; (3) Sign up for available account activity email and SMS text alerts; (4) Require dual approval, e.g., maker and checker, for all financial transactions such as ACH, wires, bill payment and payroll management; (5) Monitor and reconcile account activity daily, and report any unauthorized transactions immediately; (6) Set up at least one system administrator to control user entitlements; and, (7) Conduct all banking activities from a stand-alone and completely locked down computer systems, and from which email and web browsing are not possible. These measures are difficult for most users to manage, and only skirt the problems by pushing vigilance of fraud onto the consumer.
What is also needed is a centralized webserver service configured to defend merchant websites from fraudsters.
ThreatMetrix, Inc. (San Jose, Calif.) is marketing a TrustDefender™ Mobile security product described as context-based authentication and fraud protection for mobile devices. A Whitepaper published online by ThreatMetrix says its Mobile Device Analytics technology uses two ways to uniquely fingerprint mobile and PC user devices to detect cybercriminals and authenticate returning customers. An Exact-ID provides positive identification and context-based authentication based on cookies and multiple device identifiers across PCs and mobile devices. A Smart-ID provides cookie-less device identification using dynamic attribute matching based on from network packet and browser fingerprints instead of static fingerprint matching. The Smart-ID technology uses a machine learning approach that takes into account per-customer and global device profile patterns to generate reliable device identifiers with confidence. In contrast to fingerprint methods that are effectively static, Smart-ID is said to provide adaptive, cookie-less identification that is tolerant to incremental and non-linear changes.
Both Technologies are claimed to be globally unique. Each are generated in real-time based on data collected for that transaction. The data collected is matched against “billions” of device profiles stored in the so-called “ThreatMetrix Global Trust Intelligence Network.” Such is used to identify both trusted users and known high risk attackers. It cross-correlates hardware, operating systems, applications, internet protocols and location-centric factors in a multi-factor authentication for spoof detection.
The device attributes in mobile devices are described in the WhitePaper as being different than those in laptop/desktops, so different techniques and algorithms are needed to profile mobile-specific data. The mobile device attributes that can be collected include IMEI data, carrier information, protocol information, SIM card-related information, mobile device attributes, mobile device configuration related information, and other supported mobile device identifiers. GPS coordinate data can be used in authentications, but only if the user has granted the applicable permissions.
Operating system, application, browser and network packet behavior, and other forensics are used by ThreatMetrix to detect malicious threats associated with transactions. Packet headers and their changes in state over time are analyzed to determine if the source is malicious or not. Hidden risks are detected by examining anonymous packet header data each time the a user requests a webpage. This can help determine whether the originating device is being masked or tunneled by anonymous or hidden proxies or subject man-in-the-middle attacks.
Various conventional techniques are described in the WhitePaper to detect threats. E.g., Detection of VPN use; Detection of out-of-country satellite; dialup or mobile broadband connections; Proxy piercing to detect true IP address and true geolocation data; Detection of mismatch between operating system information detected by the browser and operating system information reported by packet information; and, Detection of device anomalies that suggest a jail-broken device or a transaction spoofing mobile device properties.
ThreatMetrix describes using webpage fingerprinting to detect changes to webpages by malware or Man-In-the-Middle and Man-In-the-Browser attacks. Such whitelisting technology is said not to depend on traditional malware signature matching. Attempts by malware to modify the webpage by introducing any new elements or JavaScript is instantly recognized. When combined with other packet and browser based indicators, ThreatMetrix claims to provide high confidence scoring of malware on the PC or mobile device.
Context data is used for analysis and risk scoring, as well as for building a personal-ID that represents a digital fingerprint of a user. Transaction data describes how a given user interacts and behaves, and provides an additional context to square historic behavior with a current action.
ThreatMetrix customers are asked to forward hundreds of user device attributes they have access to when a user logs onto their webpages. These user device attributes represent digital fingerprints of users and are forwarded in real-time to the “global network.” The information is typically encrypted using private keys. The ThreatMetrix global network server works to identify returning customers and computes a baseline for good behavior.
U.S. Pat. No. 8,141,148, titled, Method and System for Tracking Machines on a Network Using Fuzzy GUID Technology, describes cookie-less device identification and global device recognition. It claims to be impervious to cookie deletion and copying. The technology is described as being included in the ThreatMetrix SmartID™, which uses device fingerprint attributes to assess online transaction risks.
U.S. Pat. No. 8,176,178, titled, Method for Tracking Machines on a Network Using Multivariable Fingerprinting of Passively Available Information, describes a device recognition risk-assessment method to detect cybercriminals who use proxies and VPNs. It looks into historical information related to user devices. This can help understand the true geo-locations of user devices and thereby improve the detection of cybercriminals.
Conventional, Boolean Logic sorts information into black/white, yes/no, true/false, and day/night binaries. Fuzzy Logic allows for a middle ground, it allows for shades of gray, the partially true and partially false that make up much of day-to-day human reasoning.
Fuzzy Logic is a superset of conventional logic that has been extended to include truth values between “completely true” and “completely false”. Fuzzy Logic alone is not capable of recognizing an individual device. The main benefit of using Fuzzy Logic is it allows a confidence score between zero and one to be computed, as opposed to take it or leave it binary results of just true or false. Individual elements can then belong to two different fuzzy sets, not just one set as in classical logic.
Device identifications based on fuzzy logic, business rules, statistics, or neural networks can only be taken so far. The calculation of device ID's is unfortunately limited by the facts that can be extracted from the available browser, operating system, JavaScript version, language employed, plugins installed, font choices, IP-address, geo-location, screen resolution settings, HTTP header, and connecting user agent information. These data provide over a hundred points that can be used to search for comparables in its exiting records that were fashioned from previous website visits.
Conventional techniques try to compare devices in each new connection to those encountered before and characterized in its database of records. For example, using a set of rules and/or probabilities and or neural networks and or fuzzy logic to provide a score between [0, 1] to identify the device.
These simple techniques can only work if the device parameters do not change too much since the last visit and are relatively stable. Such simple technology can be challenged and fail if called on to recognize devices which have been refreshed into obscurity by device updates and upgrades.